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I . SUMMARY 

A.  The  LOX-30  Liquid  Oxygen  Generator  is  an  air  transportable  unit, 
comprised  of  five  modules,  which  is  capable  of  producing  high  purity 
liquid  oxygen.  Plant  operation  is  essentially  automatic  subsequent 
to  an  initial  start-up  period  of  approximately  six  hours  to  reach 
steady  state  conditions.  Safety  devices  are  provided  to  prevent 
over-pressurlzatlon  of  the  system  plumbing  and  to  initiate  system 
shut  down  in  event  of  component  failure  or  malfunction.  Data  indi- 
cate that,  with  the  exception  of  the  cold  box  oxygen  storage  vessel 
relief  valve  location,  the  LOX-30  Liquid  Oxygen  Generator  does  not 
present  a significant  personnel  hazard.  The  cryogenerator  engine 
requires  close  tolerances  and  is  vulnerable  to  deficiencies  in  oper- 
ating and  maintenance  procedures  and  techniques. 

B.  The  Safety  Analysis  Includes  a Fault  Hazard  Analysis  of  thirteen 
components  selected  from  the  Failure  Mode  and  Effects  Analysis.  An 
Observed  Hazard  Analysis,  based  on  plant  operation  during  reliability 
and  maintainability  testing  at  the  Naval  Air  Engineering  Center,  inves- 
tigated fifteen  potential  operational  safety  hazards. 

C.  Twenty-seven  hazard  classifications  were  assigned.  The  Fault  Hazard 
Analysis  produced  thirteen  component  hazard  classifications:  four  Cat- 
egory II,  Marginal  and  nine  Category  III,  Critical.  Fourteen  hazard 
classifications  resulted  from  the  Observed  Hazard  Analysis:  four  Cat- 
egory I,  Negligible;  five  Category  II,  Marginal;  four  Category  III, 
Critical  and  one  Category  IV,  Catastrophic.  The  Category  IV  hazard 
classification  was  assigned  to  the  location  of  the  product  storage 
vessel  relief  valve.  All  hazard  classifications  can  be  reduced  by 
minor  system  design  changes,  adherence  to  established  safety  precau- 
tions, compliance  with  operating  and  maintenance  publications  and 
posting  warning/advisory  placards  within  the  LOX-30  facility  spaces. 
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I I . PREFACE 

The  LOX-30  Liquid  Oxygen  Generator  Is  a modularized  air  transportable 
unit  for  the  production  of  high  purity  liquid  oxygen.  The  Safety  Anal- 
ysis was  performed  to  Identify  and  qualitatively  evaluate  operating 
characteristics  and  component  failure  modes  which  might  present  haz- 
ards to  personnel  or  equipment.  A Fault  Hazard  Analysis  of  thirteen 
potentially  safety  related  components  yielded  thirteen  component  haz- 
ard classifications.  An  Observed  Hazard  Analysis  of  fifteen  operational 
safety  areas  resulted  In  the  assignment  of  fourteen  hazard  classifica- 
tions. Minor  system  design  changes,  adherence  to  established  opera- 
tional and  maintenance  safety  precautions,  and  proper  compliance  with 
maintenance  requirements  and  technical  publications  will  mitigate  the 
hazards. 
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V.  SAFETY  ANALYSIS 

A.  BACKGROUND.  The  LOX-30  Liquid  Oxygen  Generator  is  a modularized, 
air  transportable  unit  designed  to  produce  liquid  oxygen  used  in  ser- 
vicing aircrew  survival  equipment,  medical  units  and  aviators'  breath- 
ing oxygen  systems.  Units  are  planned  for  Installation  at  overseas 
Naval  Air  Stations,  to  be  co-located  with  the  PLN-430  Liquid  Nitrogen 
Ganarator . 

B.  PURPOSE.  This  analysis  was  performed  to  Identify  and  qualitatively 
evaluate  any  LOX-30  Liquid  Oxygen  Generator  operating  characteristics 
which  might  present  a hazard  to  personnel  or  equipment.  The  areas  con- 
sidered Include  operation  and  maintenan  i of  the  generating  plant, 
training  requirements,  structural  and  operational  limitations  and  tech- 
nical publications  adequacy. 

C.  DESCRIPTION  OF  EQUIPMENT. 

1.  OPERATION.  The  LOX-30  Liquid  Oxygen  Generator  is  a modularized 
equipment  used  to  produce  high  purity  liquid  oxygen  from  ambient  air, 
prltsarily  for  use  in  the  aviators'  breathing  application.  Subsequent 

to  an  initial  start  up  period  of  about  six  hours  to  achieve  steady  state 
conditions  from  a warm  plant,  operation  is  essentially  automatic  with  a 
nominal  production  rate  of  25  liters  per  hour.  The  equipment  is  designed 
to  operate  unattended  except  for  periodic  monitoring  of  instruments  and 
lubricant  levels.  Predicated  on  scheduled  maintenance  requirements,  con- 
tinuous operation  for  sixty  days  is  achievable.  Plant  shut-down,  for 
■alncenance  or  other  reasons,  up  to  24  hours,  is  permissible  following 
which  steady  state  operation  is  attained  in  about  four  hours.  Shut- 
down for  more  than  24  hours  require  plant  derlmlng  and  a complete 
start-up  cycle.  The  equipment  is  electrically  powered  and  water  cooled. 
External  utility  requirements  are  approximately  110  KW  of  460  volts, 
threa  phase,  60  Hz  electrical  power  and  20  gpm  of  cooling  water.  Elec- 
tric systems  can  be  modified  to  accept  50  Hz  power. 

2.  MODULE  UNITS.  Each  plant  consists  of  five  module  units,  viz., 
air  compressor,  molecular  sieve  station,  cryogenerator , cold  box  sep- 
aration unit  and  system  control  panel. 

a.  The  two  stage  piston  air  compressor,  with  air  cooled  inter- 
cooler, is  driven  by  a 40  HP  motor  and  delivers  140  cfm  at  80  psig. 
Coaprassor  discharge  air  is  cleaned  in  the  molecular  sieve  station  then 
usad  as  process  input  for  subsequent  separation  into  product  liquid 
oxygen  and  tall  gas  nitrogen.  The  air  compressor  is  provided  with  oper- 
ation monitoring  devices  and  safety  devices  to  provide  protection 
against  over  pressurization  and  inadequate  lubrication.  Details  of 
monitoring  and  safety  devices  will  be  developed  in  subsequent  paragraphs. 
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b.  The  molecular  sieve  station  Is  comprised  of  a water  cooled 
aftercooler,  a cartridge  filter  water  separator,  an  activated  alumina 
oil  separator,  two  molecular  sieve  adsorbers,  an  electric  heater  and 
associated  plumbing,  valves  and  controls.  The  molecular  sieve  adsor- 
bers are  alternately  on  line  or  undergoing  regeneration  at  a 60-90 
minute  cycling  Interval.  The  purpose  of  the  molecular  sieve  station 
Is  to  remove  moisture,  oil,  gaseous  hydrocarbons  and  other  Impurities 
from  the  process  air  prior  to  liquefaction.  Safety  devices  provide 
protection  against  over  pressurization  and  failure  of  the  adsorber 
regeneration  gas  electric  heater. 

c.  The  cryogenerator  Is  a closed  cycle,  four  cylinder  engine 
driven  by  a 60  HP  electric  motor.  The  cryogenerator  process  uses  the 
Stirling  cycle  with  helium  as  the  working  medium.  Cryogenic  tempera- 
tures are  achieved  by  alternate  compression  and  expansion  of  the  work- 
ing medium,  effected  by  an  out-of-phase  piston  and  displacer  operating 
within  each  cylinder.  Heat  generated  within  the  engine  from  friction 
and  helium  compression  Is  removed  by  continuously  flowing  water.  A 
condenser  head  encloses  the  upper  cylinder  area.  The  process  air  Is 
directed  from  the  molecular  sieve  station  through  the  cold  box  heat 
exchanger  to  the  condenser  head  where  Initial  liquefaction  occurs. 
Internal  engine  tolerances  are  extremely  critical  both  to  achieve  the 
required  cold  temperatures  and  to  avoid  engine  self-destruction. 

Safety  devices  are  Incorporated  to  effect  automatic  shut-down  In  event 
of  Insufficient  cooling  water,  lubrication  Interruption,  excessive 
electric  current,  unequal  cylinder  pressures  and  excessive  helium  work- 
ing pressure. 

d.  The  cold  box  Is  a cylindrical  steel  vessel  within  which  the 
liquid  air  from  the  cryogenerator  is  separated  Into  product  liquid  oxy- 
gen and  tall  gas  nitrogen.  Separation  Is  effected  by  rectification 
(fractional  distillation);  nitrogen  being  the  more  volatile,  the  process 
fluid  continues  to  enrich  in  oxygen  attaining  a purity  of  99.5%  or 
greater.  Components  within  the  cold  box  Include  a counterflow  heat 
exchanger,  rectification  column,  condenser,  a seventy  liter  storage 
tank  and  associated  control  valves  and  plumbing.  The  cold  box  Is 
filled  with  perlite  to  Insulate  the  cold  areas  and  thereby  limit  heat 
transfer  with  the  environment.  A 1 KW  electric  heater  Is  used  to 
build  pressure  In  the  storage  tank  to  transfer  product  oxygen  to  a 
pressurized  receptacle  or  prevent  entry  of  Impure  liquid  from  the 
column  during  short  shut-down  periods.  Acetylene  concentration  must 

be  monitored,  particularly  during  shut-down,  because  It  has  a higher 
boiling  temperature  than  oxygen.  Therefore,  as  liquid  oxygen  bolls 
off  the  concentration  of  acetylene  In  the  remaining  fluid  increases. 
Liquid  oxygen  levels  In  the  storage  tank  and  the  column  must  not  drop 
below  80%  of  the  levels  at  plant  shut-down  because  further  evaporation 
could  cause  excessive  acetylene  contamination. 
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e.  The  system  control  panel  contains  Indicating  Instruments, 
Indlcatlng/alarm  lights,  pushbutton  switches  and  an  elapsed  time  meter, 
all  of  which  are  used  in  manual  and  automatic  control  of  the  plant. 

Controls  and  monitoring  Instruments  In  the  cold  box,  molecular  sieve 
station  and  air  compressor  are  also  required  for  operating  the  plant 
and  monitoring  its  performance.  Figure  1,  Appendix  A,  Is  a functional 
block  diagram  which  depicts  the  functional  Interrelationships  of  the 
various  system  modules  and  subsystems. 

3.  INDICATING/MONITORING  DEVICES.  The  LOX-30  is  equipped  with 
gauges  and  Indicator  lights  which  enable  the  operator  to  monitor  plant 
performance  and  provide  subsystem  fault  Indication  in  event  of  auto- 
matic plant  shut-down. 

a.  Air  Compressor. 

(1)  Oil  Pressure  Gauge.  Displays  oil  pressure  in  the  air 
compressor.  Normal  indication  is  21-35  pslg. 

(2)  Intercooler  Pressure  Gauges.  Indicates  pressure  in 
the  Intercooler  between  the  low  pressure  and  high  pressure  cylinders. 

Normal  Indication  Is  30  pslg. 

(3)  Discharge  Pressure  Gauge.  Indicates  air  compressor 
discharge  working  pressure.  Normal  indication  is  70  pslg. 

(4)  Crankcase  Oil  Dip  Stick.  Indicates  the  oil  level  in 
the  compressor  crankcase.  A "max"  level  line  is  inscribed  on  the  dip 
stick. 

b.  Molecular  Sieve  Station. 

(1)  Aftercooler  Water  Flow  Indicator.  A window  in  the  air 
aftercooler  which  provides  a cooling  water  flow  indication. 

(2)  Gas  Flowmeter.  Provides  an  Indication  of  the  amount  of 
regenerating  gas  flowing  through  the  adsorbers.  Normal  Indication  Is 
110-130  on  the  flowmeter  scale. 

c.  Cold  Box. 

(1)  Inlet  Air  Pressure  Gauge.  Indicates  the  pressure  of  the 
inlet  air  from  the  cryogenerator.  Normal  indication  approximately  61  pslg. 

(2)  Column  Pressure  Gauge.  Indicates  the  pressure  at  the 
bottom  of  the  rectification  column.  Normal  indication  is  3.5  pslg. 

(3)  Storage  Vessel  Pressure  Gauge.  Displays  the  pressure 
in  the  liquid  product  storage  tank.  Normal  indication  during  plant 
operation  Is  2 pslg.  Maximum  pressure  when  transferring  liquid  product 
la  29  pslg. 
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(4)  Hampsonmeter . The  hampsonmeter  is  a manometer  type 
Instrument  used  for  reading  the  liquid  level  In  the  rectification  col- 
umn (LI-1)  and  the  storage  tank  (LI-2).  Normal  indication  for  LI-1  is 
9 divisions.  Indications  for  LI-2  are  28-32  divisions  normal,  40  divi- 
sions maximum. 

d.  Cryogenerator . 

(1)  Oil  Level  Sight  Gauge.  Indicates  cryogenerator  crank- 
case oil  level.  Norm-  . indication  is  halfway  up  the  sight  gauge. 

(2)  Temperature  Indicators  In/Out.  Indicate  the  inlet  and 
outlet  temperatures  of  the  cryogenerator  cooling  water. 

(3)  Helium  Charge  Gauge.  Indicates  the  pressure  of  the  cryo- 
generator helium  charge.  Normal  pressure  range  is  200  pslg  minimum  to 
350  pslg  maximum. 

e.  System  Control  Panel. 

(1)  Helium  Pressure  Gauge  (4  ea.).  Displays  helium  pressure 
in  each  cylinder  of  the  cryogenerator.  Normal  average  working  pressure 
is  325  pslg. 

(2)  Cryogenerator  Oil  Pressure  Gauge.  Provides  an  indication 
of  cryogenerator  oil  pressure.  Normal  Indication  is  39  pslg. 

(3)  Ammeter.  Indicates  the  current  drawn  by  one  winding  in 
the  cryogenerator  drive  motor.  Normal  Indication  is  60  amperes. 

(4)  Indicator  Lights.  Provide  an  indication  of  compressor 
and  cryogenerator  on  and  the  subsystem  responsible  for  an  automatic 
plant  shut-down. 

(5)  Elapsed  Time  Meter.  Provides  an  indication  of  cryogen- 
erator operating  time.  Reads  to  9,999.9  hours  then  automatically  resets 
to  zero. 


4.  SAFETY  DEVICES.  Numerous  safety  devices  are  installed  in  the 
LOX-30  to  provide  protection  of  the  plant.  These  devices  are  located 
in  all  modules  of  the  plant. 

a-  Air  Compressor.  Three  safety  devices  are  Installed. 

(1)  Intermediate  Pressure  Relief  Valve.  Protects  the  com- 
pressor against  over-pressurization  of  the  intercooler.  Valve  opens  at 
38-40  pslg. 
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(2)  Discharge  Pressure  Relief  Valve.  Protects  the  LOX-30 
plant  against  over-pressurlzatlon.  Valve  opens  at  approximately  100 
pslg. 

(3)  011  Pressure  Switch.  Protects  compressor  from  damage 
caused  by  Insufficient  lubrication.  Switch  Initiates  automatic  com- 
pressor shut-down  If  oil  pressure  drops  below  7 pslg. 

b.  Molecular  Sieve  Station.  Five  safety  devices  are  Installed 
at  the  molecular  sieve  station. 

(1)  Water  Flow  Sensing  Thermostat.  Provides  protection 
against  Insufficient  cooling  of  process  Input  air.  Initiates  automatic 
system  shut-down  when  aftercooler  discharge  water  temperature  reaches 
II50F. 


(2)  Column  Pressure  Relief  Valve  (900).  Limits  rectifica- 
tion column  pressure  when  plant  Is  temporarily  shut-down.  Valve  opens 
at  1 to  2 bar. 

(3)  Tall  Gas  Relief  Valve  (901).  Limits  column  tall  gas 
pressure  when  plant  Is  In  operation.  Valve  set  to  relieve  at  2 bar. 

(4)  Thermal  Safety  Switch.  Switch  senses  adsorber  regen- 
erating gas  temperature  during  adsorber  switching.  Initiates  system 
shut-down  If  regenerating  gas  temperature  does  not  reach  200°C  within 
four  minutes  after  adsorber  changeover. 

(5)  Temperature  Control  Relay.  Senses  regeneration  gas 
temperature  and  controls  electric  heater  operation.  Turns  off  elec- 
tric heater  current  when  gas  temperature  reaches  300°C. 

c.  Cold  Box. 

Storage  Vessel  Relief  Valve  (911).  Prevents  over-pressurl- 
zatlon of  the  liquid  product  storage  tank  when  the  plant  Is  temporarily 
shut-down  and  while  transferring  liquid  product  to  an  external  recep- 
tacle. Valve  opens  at  29  pslg. 

d.  Cryogenerator . 

(1)  011  Pressure  Switch.  Prevents  cryogenerator  damage  due 
to  Inadequate  lubrication.  The  switch  Initiates  system  shut-down  If  the 
cryogenerator  oil  pressure  drops  below  25  pslg  or  exceeds  75  pslg. 

(2)  Cryogenerator  Cylinder  Temperature  Switch  (4  each).  Each 
cylinder  of  the  cryogenerator  Is  equlpp 'd  with  a temperature  sensing 
switch  to  prevent  damage  due  to  overheating^  System  shut-down  Is  Init- 
iated when  cylinder  temperature  reaches  150°F. 
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(3)  Cryogenerator  Oil  Temperature  Switch.  Senses  the  temper- 
ature of  the  cryogenerator  lubricating  oil  to  prevent  engine  damage  due 
to  Insufficient  lubrication  caused  by  reduced  oil  viscosity.  Initiates 
automatic  system  shut-down  If  oil  overheats. 

(4)  Water  Flow  Sensing  Switch.  Provides  protection  against 
Insufficient  cooling  water  flow.  Senses  the  cooling  manifold  outlet 
water  flow.  Initiates  automatic  system  shut-down  when  the  cryogenera- 
tor cooling  water  outlet  pressure  drops  below  30  pslg. 

(5)  Condenser  Head  Relief  Valve.  Provides  protection  against 
' denser  over-pressurlzatlon  due  to  working  medium  or  process  air  leak- 
ing Into  the  condenser  head  Insulation  space.  Valve  opens  at  2 pslg. 

e.  System  Control  Panel. 

(1)  Helium  Pressure  Limit  Switch  (4  each).  The  helium  pres- 
sure limit  switches  are  built  Into  the  helium  pressure  gauges.  Protec- 
tion of  the  cryogenerator  against  over/under  pressurization  Is  provided 
by  high  and  low  pressure  limit  contacts.  System  shut-down  Is  Initiated 
when  helium  working  pressure  exceeds  375  pslg  or  drops  below  200  pslg. 
Attempts  to  start  the  compressor,  when  helium  pressure  Is  less  than 

200  pslg,  will  result  In  compressor  shut-down  within  ten  seconds. 

(2)  Differential  Pressure  Switch  (2  each).  These  switches 
are  connected  between  the  pressure  gauges  for  cylinders  1 and  3 and 
cylinders  2 and  4 of  the  cryogenerator  engine.  The  switches  sense 
pressure  differences  between  cylinders  which  have  the  piston  and  dis- 
placer unit  In  the  same  relative  positions.  System  shut-down  occurs 
when  differential  pressure  Is  15  pslg. 

(3)  Excess  Current  Cutout.  Protects  the  cryogenerator 
drive  motor  from  continuous  excessive  current.  Relay  Is  adjusted  to 
5.8  times  the  nominal  current  consumption.  Activation  of  the  excess 
current  relay  necessitates  resetting  the  magnetic  line  starters  before 
attempting  to  restart  the  cryogenerator. 

(4)  Zero  Voltage  Safety  Device.  The  star  delta  starting 
relays  protect  the  cryogenerator  drive  motor  from  momentary  Interrup- 
tions of  line  power.  A disruption  of  source  voltage  will  shut-down 
the  system.  Restart  must  be  accomplished  by  normal  starting  pro- 
cedures. 

D.  PROCEDURE.  The  LOX-30  Liquid  Oxygen  Generator  Safety  Analysis  was 
predicated  on  data  gathered  from  a number  of  sources.  The  Failure  Mode 
and  Effects  Analysis  (FMEA)  provided  a broad  area  for  safety  analysis 
by  identifying  the  reasonably  conceivable  failure  modes  of  system  mod- 
ule components.  The  FMEA  provided  sufficiently  detailed  information 
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concerning  system  safety  aspects  to  facilitate  the  formulation  of  a 
Fault  Hazard  Analysis.  3M  data  for  the  Model  B Nitrogen  Llquefier, 
submitted  during  the  period  June  70  through  May  75,  were  examined. 

The  simillarlty  of  the  cryogenerator  in  the  LOX-30  and  the  Model  B 
justified  this  data  review.  The  Reliability  and  Maintainability 
testing  of  the  LOX-30,  performed  at  the  Naval  Air  Engineering  Center, 
provided  Information  from  which  an  Observed  Hazard  Analysis  was  de- 
veloped. The  objective  of  the  observations,  examinations  and  eval- 
uations was  to  achieve  qualitative  results  which  were  analytically 
substantiated  whenever  possible.  This  was  accomplished  to  assign 
realistic  hazard  classifications  to  potential  LOX-30  Liquid  Oxygen 
Generator  failures  and  operating  conditions  which  have  safety  impli- 
cations. 

E.  FAULT  HAZARD  ANALYSIS. 

1.  GENERAL.  Fault  Hazard  Analysis  (FHA)  provides  a systematic 
procedure  for  examining  significant  equipment/component  failure  modes 
determining  the  subsequent  effect  on  the  system  and  Identifying  rela- 
ted system  hazards.  The  LOX-30  Failure  Mode  and  Effects  Analysis  was 
reviewed  and  those  modes  which  had  potential  safety  implications  were 
made  candidates  for  the  FHA.  Appendix  B contains  FHA  and  reflects 
those  components  whose  failure  could  pose  safety  hazards  to  the  equip 
ment  or  to  personnel. 

2.  HAZARD  CLASSIFICATION.  A hazard  is  defined  as  any  real  or 
potential  condition  that  can  cause  injury  or  death  to  personnel  or 
damage  to  equipment  or  property.  The  severity  of  the  hazard  Is  class 
If led  in  accordance  with  "MIL-STD-882 , Systems  Safety  Program  for 
Systems  and  Associated  Sub-systems  and  Equipment".  Hazard  Classifi- 
cations are  as  follows: 

a.  Category  I - Negligible.  Condition(s)  such  that  per- 
sonnel error,  environment,  design  characteristics,  procedural  defi- 
ciencies or  subsystem/component  failure  or  malfunction  will  not 
result  In  system  damage  or  personnel  Injury. 

b.  Category  II  - Marginal.  Condition(s)  such  that  per- 
sonnel error,  environment,  design  characteristics,  procedural  defi- 
ciencies or  subsystem/ component  failure  or  malfunction  can  be  coun- 
tered or  controlled  without  injury  to  personnel  or  major  system 
damage . 


c.  Category  III  - Critical.  Condltlon(s)  such  that  per- 
sonnel error,  environment,  design  characteristics,  procedural  defi- 
ciencies or  subsystem/ component  failure  or  malfunction  will  cause 
personnel  Injury  or  major  system  damage,  or  will  require  immediate 
corrective  action  for  personnel  or  system  survival. 
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d.  Category  IV  - Catastrophic.  Condition (s)  such  that  personnel 
error,  environment,  design  characteristics,  procedural  deficiencies  or 
subsystem/ component  failure  or  malfunction  will  cause  death  or  severe 
Injury  to  personnel  or  system  loss. 


3.  COMPONENTS . Thirteen  components  contained  in  the  Failure  Mode 
and  Effects  Analysis,  for  which  safety  Implications  were  Indicated,  were 
selected  for  Fault  Hazard  Analysis.  Twenty-seven  failure  modes  were  eval- 
uated; twenty-three  hazard  classifications  were  assigned.  The  Fault 
Hazard  Analysis  candidates,  evaluation  summaries,  hazard  classifications, 
and  a discussion  on  resolution  of  hazards  follows: 


a.  Valve.  Regenerating  Gas  Heater  (760).  The  regenerating  gas 
heater  valve  (760)  directs  regenerating  gas  flow  through  the  electric 
heater  during  the  fifteen  minute  gas  heating  period.  At  the  end  of  the 
heating  time,  the  valve  closes  to  by-pass  the  heater  and  route  cool  gas 
directly  to  the  adsorber  under  regeneration.  The  valve  can  stick  in 
either  the  heat  or  by-pass  position.  Should  the  valve  stick  In  the  heater 
position,  regeneration  gas  will  be  continuously  directed  across  the  heater 
element.  Since  the  heater  Is  activated  for  only  fifteen  minutes  of  the 
adsorber  regeneration  cycle,  cooling  of  the  molecular  sieve  would  occur, 
but  at  a slower  rate  until  the  heater  elements  had  cooled  to  gas  tempera- 
ture. Reduced  product  purity  could  result.  This  hazard  Is  mitigated  by 
testing  the  output  product  for  purity.  A Category  I,  Negligible,  hazard 
classification  was  assigned.  Failure  of  the  valve  by  sticking  In  the 
by-pass  position  prevents  tall  gas  from  being  directed  across  the  elec- 
trical heater  element.  Without  this  gas  flow,  the  heating  element  will 
over-heat.  Since  the  temperature  control  relay  (TC-A)  depends  on  gas 
flow  for  heat  transfer  from  the  heating  element  to  the  control  relay 
thermal  sensor,  this  failure  can  result  In  heater  burn-out  and  possible 
gas  plumbing  damage.  A Category  III,  Critical,  hazard  classification 
was  assigned. 


b.  Thermostat,  Temperature  Control  Relay  (TC-A).  The  temperature 
control  relay  thermostat  senses  the  temperature  of  the  heated  regenerating 
gas  and  provides  the  control  signal  to  remove  electric  power  from  the 
heater  when  gas  temperature  reaches  300°C.  The  thermostat  la  subject  to 
two  failure  modes;  failure  to  open  and  failure  to  close.  Failure  of  the 
thermostat  switch  to  open  would  allow  power  to  be  constantly  applied  to 
the  regenerating  gas  heating  element.  Excessively  high  regenerating  gas 
temperature  could  result  and  the  heating  element  could  burn  out.  A Cat- 
••  egory  III,  Critical,  hazard  classification  was  assigned.  Failure  of  the 

thermostat  switch  to  close,  after  It  has  opened,  would  result  In  system 
shut-down  within  four  minutes  after  the  gas  cools  below  200°C  due  to  the 
action  of  safety  thermostat  (TA-5)  and  the  four  minute  time  relay  (T-1). 

A hazard  classification  was  not  assigned. 


a 
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c.  Thermostat.  Safety  (TA-5) . The  safety  thermostat  prevents 
operating  the  plant  with  unregenerated  adsorbers.  The  thermostat  causes 
automatic  system  shut-down  In  the  event  adsorber  regenerating  gas  has  not 
reached  200°C  within  four  minutes  after  adsorber  switching.  The  thermo- 
stat Is  subject  to  two  failure  modes;  failure  to  open  and  failure  to 
close.  Failure  to  open  would  cause  the  plant  to  shut-down  with  a pro- 
perly operating  gas  heater;  a nuisance  shut-down.  No  hazard  classifica- 
tion was  assigned.  Failure  of  the  thermostat  to  close,  after  It  has 
opened,  will  disable  the  Insufficient  regenerating  gas  temperature  time 
relay  (T-1)  which  will  allow  plant  operation  with  Inadequately  regener- 
ated adsorber  If  the  regeneration  gas  heater  falls.  Product  purity  will 
decrease.  A Category  II,  Marginal,  hazard  classification  was  assigned. 

d.  Valve,  Tall  Gas  Relief  (901).  The  tall  gas  relief  valve 
prevents  over-pressurlzatlon  of  the  column  during  plant  operation.  Two 
failure  modes  were  analyzed;  valve  opens  at  higher  than  specified  pres- 
sure and  failure  to  close.  Valve  opening  at  higher  than  specified  pres- 
sure causes  an  Increased  pressure  In  tall  gas  plumbing  and  the  rectifi- 
cation column.  A Category  II,  Marginal,  hazard  classification  was 
awarded.  Failure  of  the  valve  to  close  will  continuously  vent  tall  gas 
to  the  atmosphere.  A Category  II,  Marginal,  hazard  classification  was 
awarded.  A failure  of  this  valve  would  be  associated  with  another 
system  component  failure  or  an  operational  procedure  error  which  resul- 
ted In  raising  the  rectification  column  pressure. 

e.  Valve.  Column  Pressure  Relief  (900).  The  column  pressure 
relief  valve  prevents  over-pressurlzatlon  of  the  rectification  column 
during  periods  of  temporary  plant  shut-down.  Two  failure  modes  were 
analyzed,  valve  opens  at  higher  than  specified  pressure  and  failure  to 
close.  Valve  opening  at  higher  than  specified  pressure  would  result 
In  transfer  of  Impure  liquid  from  the  column  to  the  storage  tank.  The 
occurrence  of  this  failure  mode  is  considered  unlikely,  therefore,  a 
Category  II,  Marginal,  hazard  classification  was  assigned.  Failure  cf 
the  valve  to  close  would  reduce  column  pressure  and  cause  more  rapid 
boll-off  of  column  liquid.  Contamination  of  the  column  liquid  would 
result.  This  hazard  can  be  mitigated  by  sampling  the  column  liquid 

and  derlmlng  the  plant  before  liquid  purity  approaches  hazardous  levels. 

A Category  II,  Marginal,  hazard  classification  was  assigned.  Failures 
to  this  valve  would  be  precipitated  by  another  system  failure  which 
raised  column  pressure  sufficiently  to  necessitate  opening  of  the  valve. 

f.  Valve,  Float  Controlled  Column  Inlet  (120).  The  float  con- 
trolled column  Inlet  valve  controls  entry  of  process  air  into  the  rec- 
tification column.  Air  Inlet  Is  dependent  on  the  condenser  liquid  level. 
Two  failure  modes,  sticking  open  and  sticking  closed,  were  analyzed. 
Failure  of  the  valve  by  sticking  open  permits  process  air  to  enter  the 
column  continuously  and  reduce  the  column  temperature.  Liquid  product 
purity  will  decrease.  A Category  II,  Marginal,  hazard  classification 
was  assigned.  Failure  of  the  valve  by  sticking  closed  has  more  serious 
considerations.  Process  air  cannot  enter  the  column  which  will  reduce 
the  air  flow  through  the  cryogenerator  and  cause  the  condenser  head  to 
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become  excessively  cold.  With  no  Input  to  the  column,  process  fluid 
will  drain  from  the  column  and  reduce  output  product  purity,  t/hen  col- 
umn liquid  level  has  decreased  sufficiently  to  close  the  float  controlled 
transfer  valve  (236),  gaseous  oxygen  will  boll-off  the  liquid  trapped  In 
the  column  and  possibly  result  In  acetylene  enrichment  of  the  column 
fluid.  A Category  III,  Critical,  hazard  classification  was  assigned. 

g.  Valve,  Float  Controlled  Transfer  (236).  The  float  con- 
trolled transfer  valve  controls  the  rate  at  which  liquid  product  Is 
transferred  to  the  storage  tank.  Additionally,  this  valve  controls  the 
liquid  level  In  the  column  effecting  product  purity.  Two  failure  modes 
were  analyzed,  sticking  open  and  sticking  closed.  Should  the  valve  fall 
In  the  open  position  liquid  will  be  transferred  too  rapidly  to  the  stor- 
age tank  and  product  purity  will  decrease.  A Category  II,  Marginal, 
hazard  classification  was  assigned.  Failure  of  the  valve  In  the  closed 
position  prevents  transfer  of  liquid  product  from  the  column  to  the 
storage  tank.  Liquid  level  In  the  rectification  column  and  the  conden- 
ser will  Increase  until  the  float  controlled  column  Inlet  valve  (120) 
closes.  Air  flow  through  the  cryogenerator  will  decrease  and  the  cryo- 
generator  will  become  excessively  cold.  A Category  III,  Critical,  haz- 
ard classification  was  assigned. 

h.  Valve,  Storage  Tank  Vent  (281).  The  storage  tank  vent 
valve  provides  for  venting  gaseous  oxygen  from  the  storage  tank  during 
plant  production,  pressurizing  the  storage  vessel  to  transfer  product 
output  to  a pressurized  receptacle  and  pressurizing  the  storage  vessel 
to  prevent  column  liquid  transfer  during  temporary  plant  shut-down  per- 
iods. Two  failure  modes,  sticking  open  and  sticking  closed,  were  anal- 
ysed. Failure  of  the  valve  In  the  open  position  presents  a nuisance 
factor  If  liquid  product  Is  to  be  transferred  to  a pressurized  recep- 
tacle. Upon  plant  shut-down,  column  liquid  will  be  transferred  to  the 
storage  vessel  until  the  float  controlled  transfer  valve  (236)  closes. 

A Category  I,  Negligible,  hazard  classification  was  assigned.  Failure 
of  the  valve  In  the  closed  position  prevents  transfer  of  liquid  from 
the  column  If  storage  tank  product  transfer  valve  (240)  Is  closed. 

Column  liquid  level  will  Increase  until  process  air  to  the  column  Is 
shut  off  at  which  time  the  cryogenerator  will  become  excessively  cold 
due  to  reduced  air  flow.  The  hazard  can  be  lessened  by  opening  stor- 
age tank  product  transfer  valve  (240).  A Category  III,  Critical, 
hazard  classification  was  assigned. 

1.  Valve,  Storage  Tank  Product  Transfer  (240).  The  storage 
tank  product  transfer  valve  controls  outflow  of  liquid  product  from  the 
plant  storage  vessel  to  an  external  storage  receptacle.  The  failure 
modes  sticking  open  and  sticking  closed  were  analyzed.  Sticking  In 
the  open  position  prevents  regulating  product  off-take.  A Category 
II,  Marginal,  hazard  classification  was  awarded.  Sticking  of  the  valve 
In  the  closed  position  prevents  transfer  of  product  from  the  storage 
tank  which  will  cause  the  fluid  level  In  the  tank  to  rise  until  liquid 


I 
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oxygen  is  vented  out  the  storage  tank  vent  line.  Correction  requires 
derlmlng  the  plant.  A Category  III,  Critical,  hazard  classification 
was  assigned. 

j . Valve.  Storage  Tank  Relief  (911).  The  storage  tank  relief 
valve  prevents  over-pressurlzatlon  of  the  product  storage  tank  during 
periods  when  the  plant  Is  temporarily  shut-down  or  when  transferring 
product  liquid  to  a pressurized  external  receptacle.  Two  failure  modes 
were  analyzed;  failure  to  open  at  specified  valve  and  failure  to  close. 
Failure  of  the  relief  valve  to  open  at  prescribed  pressure  results  In 
over-pressurlzatlon  of  the  tank.  Severe  plumbing  and  structural  damage 
can  occur,  however,  the  probability  of  this  failure  is  low  and  the  haz- 
ard can  be  mitigated  by  opening  the  storage  vessel  vent  valve.  A Cat- 
egory III,  Critical,  hazard  classification  was  assigned  to  this  failure 
mode.  Failure  of  the  relief  valve  to  close  will  vent  gaseous  oxygen 
continuously  from  the  storage  vessel  and  reduce  storage  tank  pressure. 
Liquid  boll-off  will  be  accelerated  and  liquid  In  the  column  may  be 
transferred  to  the  storage  tank.  Derlmlng  the  plant  Is  required  If 
storage  tank  liquid  level  drops  to  less  than  80%  of  the  level  at  plant 

i shut-down.  A Category  III,  Critical,  hazard  classification  was  awarded. 

k.  Switch,  Cryogenerator  Oil  Pressure.  The  cryogenerator  oil 

I , system  can  provide  Inadequate  lubrication  If  pressure  Is  below  25  pslg. 

Should  oil  pressure  rise  above  75  pslg,  an  oil  by-pass  opens  to  return 
a large  portion  of  the  oil  to  the  crankcase  to  protect  internal  engine 
plumbing.  The  oil  pressure  switch  Initiates  system  shut-down  to  protect 
the  cryogenerator  engine  from  damage  due  to  Insufficient  lubrication 
should  either  of  these  pressure  limits  be  exceeded.  Three  failure  modes 
were  analyzed,  failure  of  the  switch  to  open  above  25  pslg,  failure  of 
the  switch  to  close  below  25  pslg  and  failure  of  the  switch  to  close 
I above  75  pslg.  Failure  of  the  switch  to  open  above  25  pslg  will  cause 

the  system  to  shut-down  as  soon  as  the  cryogenerator  start  button  Is 
released.  No  damage  to  the  cryogenerator  will  result,  however,  the 
fault  must  be  corrected  before  the  plant  can  be  operated.  Evaluated  as 
a nuisance  shut-down,  no  hazard  classification  was  assigned.  Failure  of 
the  switch  to  close  below  25  pslg  oil  pressure  will  permit  the  cryogen- 
erator to  continue  to  run  with  Inadequate  flow  of  cooling  and  lubrica- 
ting oil.  The  engine  will  overheat  and  possibly  sustain  internal  dam- 
age. The  hazard  Is  lessened  by  the  cylinder  temperature  switches, 
installed  on  each  cylinder,  which  Initiate  engine  shut-down  when  the 
external  cylinder  temperature  reaches  150°F.  A Category  II,  Marginal, 

**  hazard  classification  was  awarded.  Failure  of  the  oil  pressure  switch 

to  close  at  pressures  above  75  pslg  allows  the  engine  to  run  with  re- 
duced oil  flow  through  the  cylinder  cooling  jackets.  The  engine  will 
i overheat  and  possibly  sustain  Internal  damage.  This  hazard  Is  mltl- 

I gated  by  the  cylinder  external  temperature  switches,  explained  above. 

A Category  II,  Marginal,  hazard  classification  was  awarded  due  to  the 
low  probability  of  occurrence  and  the  protection  provided  by  the 
cylinder  temperature  switches.  A failure  in  the  cryogenerator  oil 
system  would  be  required  to  cause  a failure  of  the  oil  pressure  switch. 
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1.  Switch,  Helium  Pressure  Cutout.  The  helluzo  pressure  cutout 
switch  Is  an  Integral  part  of  the  cryogenerator  cylinder  gauge(s).  When 
cylinder  average  working  pressure  rises  above  375  pslg  or  drops  below 
200  pslg  the  switch  closes  and  Initiates  automatic  system  shut-down. 

Two  failure  modes  which  have  safety  Implication,  switch  falls  to  close 
below  200  pslg  or  above  375  pslg,  were  analyzed.  A third  failure  mode, 
switch  falls  to  open  above  200  pslg,  does  not  have  safety  connotations, 
but  does  result  In  nuisance  shut-down  of  the  plant.  Failure  of  the 
switch  to  close  below  200  pslg  cylinder  working  pressure  will  result  In 
the  plant  producing  little  or  no  liquid  output  due  to  Insufficient  cryo- 
genic action.  The  hazards  of  this  failure  are  lessened  by  monitoring 
cylinder  pressure  gauges  and  the  liquid  level  In  the  column  and  manually 
securing  the  plant.  A Category  II,  Marginal,  hazard  classification  was 
assigned.  Failure  of  the  switch  to  close  at  cylinder  working  pressure 
above  375  pslg  can  result  In  severe  Internal  damage  to  the  cryogenerator. 
Engine  temperature  will  rise  due  to  heat  of  excessive  compression,  excess- 
ive current  will  be  drawn  by  the  cryogenerator  drive  motor  and  output 
product  purity  will  decrease.  The  excess  current  cutout  relay  guards 
against  excessive  motor  current  and  the  cylinder  temperature  switches 
provide  protection  against  engine  overheating.  Product  purity  decrease 
Is  detectable  by  sample  testing  of  liquid  output  product.  A Category 
III,  Critical,  hazard  classification  was  assigned. 


m.  Switch,  Differential  Pressure  (2  each).  Differential  pres- 
sure switches  are  connected  between  the  output  of  cryogenerator  cylin- 
ders which  have  the  pistons  in  the  same  relative  position  at  the  same 
time.  Switches  are  connected  between  cylinders  1 and  3 and  cylinders 
2 and  4.  The  switches  close  to  Initiate  automatic  system  shut-down 
when  the  pressure  differential  between  matching  cylinders  reaches  15 
pslg.  Two  failure  modes  were  analyzed;  switch  closes  at  too  low  pres- 
sure differential  and  switch  falls  to  close.  Failure  of  the  differen- 
tial pressure  switch  to  close  will  permit  the  engine  to  continue  oper- 
ating with  Internal  failure  such  as  a collapsed  displacer  dome,  piston 
ring  leakage  or  displacer  ring  leakage.  Continued  engine  operation 
under  these  conditions  can  cause  a relatively  minor  Internal  failure  to 
degenerate  Into  severe  engine  damage.  The  effect  of  differential  switch 
failure  to  close  can  be  lessened  by  monitoring  cylinder  pressure  gauges 
and  manually  securing  the  plant.  A Category  III,  Critical,  hazard  class- 
ification was  assigned.  Differential  pressure  switch  closure  at  low 
pressure  differentials  will  cause  unnecessary  automatic  shut-down  of 
the  plant,  however,  damage  to  cryogenerator  will  not  be  sustained.  A 
hazard  classification  was  not  assigned  to  this  failure  mode. 


4.  HAZARD  CLASSIFICATIONS.  Hazard  classifications  were  assigned 
to  all  of  the  components  selected  for  Fault  Hazard  Analysis.  Multiple 
failure  inodes  were  evaluated  for  all  components  and,  where  appropriate, 
different  hazard  classifications  were  assigned  to  the  individual  fail- 
ure modes.  The  hazard  classification  assigned  to  a component  was  the 
most  severe  classification  awarded  to  any  failure  mode  of  that  component. 
Category  II,  Marginal,  hazard  classification  was  assigned  to  four  com- 
ponents; Category  III,  Critical,  was  assigned  to  nine  components.  The 
hazard  classification  assigned  to  each  component  Is  shown  in  Table  1. 
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TABLE  I 

COMPONENT  HAZARD  CLASSIFICATION 


COMPONENT 

Thermostat,  Safety  (TA-5) 

Valve,  Tail  Gas  Relief  (900) 

Valve,  Column  Pressure  Relief  (901) 

Switch,  Cryogenerator  Oil  Pressure 
Valve,  Regenerating  Gas  Heater  (760) 
Thermostat,  Control  (TC-4) 

Valve,  Float  Controlled  Column  Inlet  (120) 
Valve,  Float  Controlled  Transfer  (236) 
Valve,  Storage  Tank  Vent  (281) 

Valve,  Storage  Tank  Product  Outlet  (240) 
Valve,  Storage  Tank  Relief  (911) 

Switch,  Helium  Pressure  Cut-Out 
Switch,  Differential  Pressure 

5.  Discussion  and  Resolution  of  Fault 
ment.  Appendix  D. 


HAZARD  CLASSIFICATION 
II 
II 
II 

II 

III 
III 
III 
III 
III 
III 
III 
III 
III 

Hazards  provided  as  attach- 


F.  SHIPS  3M  DATA. 


1.  Ships'  3M  data  for  the  Model  B Nitrogen  Llquefler  were  examined 
for  Information  related  to  the  cryogenerator.  Data  reviewed  covered  a 
reporting  period  from  June  1970  to  May  1975.  The  slmlllarlty  between  the 
cryogenerators  of  the  Model  B and  the  LOX-30  justified  this  data  review. 
Salient  facts  obtained  from  3M  data  are  as  follows: 

a.  Technical  Publlcatlcn.  The  complexity  of  the  cryogenerator 
requires  that  the  technical  publication  thoroughly  expound  on  the  theory 
of  operation,  contain  explicit  Instructions  for  operating  and  maintaining 
the  unit  and  Include  a comprehensive  Illustrated  parts  breakdown.  3M 
data  contained  twenty  Instances  which  specified  Inadequate  publications 
or  procedures  as  the  cause  of  the  difficulty;  two  requests  for  technical 
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assistance  to  determine  the  cause  of  cryogenerator  faults  Implied  techni- 
cal publication  Inadequacy.  The  technical  publication  for  the  Model  B 
"NAVSHIPS  0923-004-9010  TECHNICAL  MANUAL  FOR  MODEL  B NITROGEN  LIQUEFIER", 
while  reported  Inadequate  Is  far  superior  to  the  LOX-30  data  package  tech- 
nical publication,  "TECHNICAL  MANUAL  OPERATION  AND  MAINTENANCE  INSTRUC- 
TIONS LOX-30  PORTABLE  LIQUID  OXYGEN  PLANT,  July  1976". 

b.  Maintenance  Training.  The  Stirling  Cycle  cryogenic  process 
demands  that  close  tolerances  be  used  and  adhered  to  In  assembling  and 
repairing  the  cryogenerator.  3M  data  Indicated  that  repair  or  assembly 
deficiencies  were  a factor  In  eleven  of  the  failures  Included  In  the 
data.  Training  courses  for  cryogenerator  maintenance  must  fully  acquaint 
maintenance  personnel  with  the  close  tolerances  Involved  and  stress  strict 
adherence  to  proper  repair  and  assembly  procedures. 

2.  Provided  as  attachment.  Appendix  E. 

G.  NAVAL  AIR  ENGINEERING  CENTER 


1.  The  Naval  Air  Engineering  Center  conducted  reliability  and  main- 
tainability testing  of  the  LOX-30  from  March  to  September  1977  and  accum- 
ulated 1,620  plant  operating  hours.  During  this  testing,  attention  was 
directed  toward  functional  or  environmental  threats  to  either  personnel 
or  plant  safety.  The  following  potential  hazards  were  made  the  subject 
of  an  Observed  Hazard  Analysis. 

a.  Electric  Shock 

b.  High  Temperature  Surfaces 

c.  Low  Temperature  Surfaces 

d.  High  Pressure  Fluids  and  Gases 

e.  Static  Generating  Material 

f.  Toxic  Material 

g.  Mechanical  Vibration 

h.  Floor  and  Overhead  Obstruction 

1.  Rotating  Machinery 

j.  Equipment  Physical  Stability 

k.  Operating  Control  Accessibility 

l.  Atmospheric  Contaminants 

m.  Noise 
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n.  Proximity  of  Incompatible  Systems/Components 

o.  Personnel  Ingress/Bgress 
H.  OBSERVED  HAZARD  ANALYSIS. 

1.  GENERAL.  The  Observed  Hazard  Analysis  provides  a procedure  to 
evaluate  hazardous  conditions  which  are  a result  of  equipment  operation. 

The  criteria  for  hazard  classification  are  the  same  as  those  used  for 
Fault  Hazard  Analysis.  The  Observed  Hazard  Analysis  Is  contained  In 
Appendix  C. 

2.  SAFETY  AREAS.  Fifteen  potential  safety  hazards  which  could  arise 
during  operation  of  the  LOX-30  were  studied.  Fourteen  hazard  classifica- 
tions were  assigned.  The  Observed  Hazard  Analysis  safety  areas,  evalua- 
tion summaries,  hazard  classifications  and  a discussion  on  resolution  of 
hazards  follows: 

a.  Electric  Shock.  The  LOX-30  consumes  approximately  110  KW  of 
electrical  power.  Voltage  present  In  the  plant  are  115V,  230V,  and  380V 
or  460V.  All  voltage  levels  are  potentially  lethal.  Electrical  shock 
hazards  can  be  significantly  reduced  when  simple  precautions  are  taken. 

All  units  of  the  plant  should  be  electrically  bonded  and  properly  grounded. 
Rubber  matting  should  be  Installed  at  all  modules  where  operating  and 
maintenance  personnel  will  come  In  contact  with  the  unit.  Warning  placards 
Indicating  the  voltage  levels  present  should  be  displayed.  Placards  pro- 
viding shock  treatment  and  resuscitation  procedures  should  be  posted  In 
the  plant.  A Category  III,  Critical,  hazard  classification  was  assigned. 

b.  High  Temperature  Surfaces.  The  compressor  discharge  plumb- 
ing contains  air  which  was  heated  to  2520f  above  ambient  temperature  by 
the  compression  process.  Separation  column  tall  gas  which  Is  used  to 
regenerate  the  adsorbers  Is  heated  to  590°F.  This  hazard  can  be  reduced 
by  thermally  Insulating  plumbing  and  plant  units  which  have  elevated  ex- 
ternal surface  temperature.  "Hot  Spot"  placards  should  be  displayed  at 
those  locations  where  the  Installation  of  thermal  Insulation  Is  not  feas- 
ible. A Category  II,  Marginal,  hazard  classification  was  assigned. 

c.  Low  Temperature  Surfaces.  The  cryogenic  process  of  the  LOX- 
30  plant  Is  contained  within  cryogenlcally  Insulated  vessels  and  plumbing. 
The  only  low  temperature  fittings  which  are  normally  exposed  are  the 
liquid  product  discharge  connection  and  the  storage  tank  gaseous  oxygen 
vent  connection,  both  of  which  become  extremely  cold  during  plant  opera- 
tion. This  hazard  can  be  mitigated  by  the  Installation  of  low  tempera- 
ture warning  placards  and  by  ensuring  that  all  operators  wear  required 
protective  clothing.  A Category  I,  Negligible,  hazard  classification 

was  assigned. 
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d.  High  Pressure  Fluids  and  Gases.  The  LOX-30  contains  only 
low  or  medium  pressure  fluids  and  gases.  Process  air  pressure  from  the 
compressor  varies  from  65-87  pslg.  Cooling  water  pressure  Is  normally 
58  pslg.  Cryogenerator  working  medium  pressure  varies  from  200-375  pslg 
and  Is  contained  within  the  cryogenerator  engine.  Little  can  be  effec- 
tively done  to  reduce  the  presence  of  this  hazard,  however,  placards 
advising  the  pressures  present  In  the  plant  should  be  posted.  A Cat- 
egory II,  Marginal,  hazard  classification  was  assigned. 

e.  Static  Generating  Material.  A potential  for  oxygen  enrich- 
ment of  the  atmosphere  In  the  LOX-30  plant  exists.  Synthetic  and  wool 
fabrics  generate  static  electricity  when  relative  humidity  Is  low.  Sta- 
tic electricity  In  an  oxygen  enriched  atmosphere  presents  a fire  hazard. 
A Category  II,  Marginal,  hazard  classification  was  awarded.  This  haz- 
ard can  be  reduced  by  ensuring  that  operating  and  maintenance  personnel 
wear  cotton  clothing.  Placards  warning  of  the  static  electricity  haz- 
ard from  synthetic  or  wool  fabrics  should  be  displayed  in  the  plant 
spaces. 


f.  Toxic  Materials.  The  hampsonmeter  is  filled  with  S-TETRA- 
Bromoethane  liquid,  a poisonous  compound.  When  combined  with  moisture 
it  will  hydrolyze  to  form  an  acid.  During  use  of  the  hampsonmeter,  the 
liquid  can  be  vented  from  the  top  of  the  meter  and  sprayed  on  the  oper- 
ator. A Category  III,  Critical,  hazard  classification  was  assigned. 

This  hazard  can  be  reduced  by  placarding  the  cold  box  control  panel  to 
advise  the  use  of  extreme  caution  when  using  the  hampsonmeter.  A non- 
toxic  fluid  with  the  same  physical  properties  should  be  Investigated 
for  use  In  the  hampsonmeter. 

g.  Mechanical  Vibration.  The  vibration  level  at  the  compressor 
discharge  manifold  is  high.  The  compressor  discharge  line  failed  twice 
during  LOX-30  reliability  and  maintenance  testing  due  to  vibration  from 
the  compressor.  The  studs  used  to  connect  the  compressor  discharge 
flange  to  the  molecular  sieve  flexible  line  flange  were  too  short  to 

be  properly  gripped  by  the  nuts.  Mechanical  vibration  was  awarded  a 
Category  III,  Critical,  hazard  classification.  This  hazard  can  be  coun- 
tered by  designing  a bracket  to  support  the  compressor  discharge  line. 
Connecting  flange  studs  should  be  replaced  with  machine  bolts  to  per- 
mit insertion  of  longer  bolts  If  securing  nuts  do  not  have  sufficient 
grip.  Properly  torqued  metal  stop  nuts  should  be  used  for  plant 
plumbing  connection  to  prevent  loosening  of  nuts  due  to  mechanical 
vibration. 


h.  Floor  and  Overhead  Obstructions.  The  LOX-30  plant  install- 
ation requires  numerous  plumbing  and  cable  runs  along  the  floor  and  over- 
head. Theae  obstructions  present  a tripping  and  bumping  hazard.  A Cat- 
egory I,  Negligible,  hazard  classification  was  assigned  due  to  the  ease 
of  mitigating  the  hazard.  Overhead  plumbing  should  be  at  least  seven 
feet  above  the  floor.  Installation  of  covers  over  floor  level  plumbing 
will  significantly  reduce  the  tripping  hazard.  Display  placards  warning 
of  any  tripping  hazard. 
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1.  Rotating  Machinery.  The  cryogenerator  drive  motor  is 
connected  to  the  engine  by  a flexible  coupling.  The  coupling  is  shiel- 
ded by  a cover  mounted  to  the  cryogenerator  bed  plate.  The  air  com- 
pressor V-belt  connection  to  the  drive  motor  is  shielded  by  a cover 
mounted  on  the  compressor  skid.  A Category  I,  Negligible,  hazard 
classification  was  assigned.  Ensure  that  coupling  and  V-belt  shields 
are  In  position  prior  to  plant  operation. 

j.  Equipment  Physical  Stability.  The  cold  box,  a cylinder  53 
Inches  In  diameter,  94  Inches  high  and  weighing  2,205  pounds,  rests  on 
three  unattached  leveling  stands  twelve  inches  tall.  Vibration  or 
severe  bumping  could  cause  the  cold  box  to  fall  off  the  stands.  Exten- 
sive damage  to  the  plant  or  Injury  to  personnel  could  result  If  the  cold 
box  slipped  off  the  stands.  A Category  III,  Critical,  hazard  classifi- 
cation was  assigned.  This  hazard  Is  considered  unlikely  and  can  easily 
be  countered  by  bolting  the  cold  box  to  the  stands. 

k.  Operating  Control  Accessibility.  The  operating  controls 
and  Indicators  on  the  cold  box  control  panel  and  the  system  control 
panel  can  be  reached  without  stretching  nr  reaching.  The  pressure  gauges 
on  the  air  compressor  skid  require  only  moderate  bending  to  ensure  accur- 
ate readings.  No  hazard  classification  was  assigned. 

l.  Atmospheric  Contaminants.  The  rectification  column  tail  gas 
contains  a high  concentration  of  nitrogen  which  will  not  sustain  life. 
Storage  tank  vent  gas  Is  pure  oxygen  which  would  cause  oxygen  enrichment 
In  the  Immediate  area  of  the  vent  discharge.  Venting  these  gases  Into 
the  plant  enclosure  space  would  result  In  a general  Increase  In  the  nit- 
rogen level  of  the  space  atmosphere.  Such  an  Increase  would  be  hazard- 
ous to  plant  personnel.  A Category  II,  Marginal,  hazard  classification 
was  assigned.  This  hazard  can  be  mitigated  by  ducting  all  plant  vent 
gases  to  the  outside  of  the  plant  enclosure.  Ensure  adequate  plant  ven- 
tilation from  a source  remote  from  plant  gas  discharge  vents. 

m.  Noise.  During  reliability  and  maintainability  testing,  the 
compressor  noise  level  was  measured  at  104  dbA  with  a SPL-103  Sound 
Level  Meter.  The  maximum  unprotected  exposure  to  this  sound  level  Is 
one  hour  pei  lay.  Longer  exposure  can  result  In  hearing  loss.  A Cat- 
egory II,  Marginal,  hazard  classification  was  assigned  to  this  safety 
area.  The  hazard  can  be  countered  by  locating  the  compressor  In  a 
separate  room  from  the  rest  of  the  plant  or  ensuring  that  personnel 
wear  effective  sound  attenuators  In  the  space  which  contains  the  air 
compressor.  Display  noise  hazard  area  placards  In  the  air  compressor 
space. 

n.  Proximity  of  Incompatible  Systems/Components.  The  liquid 
oxygen  storage  vessel  pressure  relief  valve  Is  mounted  on  the  cold  box 
above  the  Instrument/control  panel.  When  the  relief  valve  opens,  liquid 
oxygen,  at  -297°F,  is  sprayed  In  the  control  panel  area.  A Category  IV, 
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Catastrophic,  hazard  classification  was  assigned.  This  most  serious 
hazard  can  be  effectively  countered  by  relocating  the  relief  valve 
and  installing  vent  piping  to  duct  storage  vessel  blow-off  oxygen  to 
the  atmosphere  outside  the  plant  enclosure. 

o.  Personnel  Ingress/Egress.  The  LOX-30  requires  access  to 
all  modules  of  the  plant  for  scheduled  and  corrective  maintenance. 

The  cryogenerator  winch  is  required  for  removal  of  the  condenser  head. 

A Category  I,  Negligible,  hazard  classification  was  assigned.  Ensure 
that  the  plant  installation  provides  sufficient  clearance  around  all 
modules  for  personnel  movement  and  equipment  maintenance. 

3.  HAZARD  CLASSIFICATION.  The  Observed  Hazard  Analysis  yielded 
fourteen  areas  which  exhibited  potential  safety  problems.  Four  poten- 
tial hazard  areas  were  classified  as  Category  I,  Negligible;  five  were 
assigned  Category  II,  Marginal;  and  four  were  assigned  Category  III, 
Critical.  The  safety  area  Proximity  of  Incompatible  Systems/Components 
was  assigned  a Category  IV,  Catastrophic,  hazard  classification  due  to 
the  location  of  the  cold  box  liquid  oxygen  storage  tank  relief  valve. 

The  hazard  classification  assigned  to  each  observed  safety  area  is  shown 
in  Table  II. 


TABLE  II 

OBSERVED  HAZARD  CLASSIFICATION 

OBSERVED  AREA 

Operating  Control  Accessibility 
Low  Temperature  Surfaces 
Floor  and  Overhead  Obstructions 
Rotating  Machinery 
Personnel  Ingress/Egress 
Atmospheric  Contaminants 
High  Pressure  Fluids  and  Gases 
Static  Generating  Material 
High  Temperature  Surfaces 


HAZARD  CLASSIFICATION 


I 

I 

I 

I 

II 
II 
II 
II 


Noise 


II 
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TABLE  II  (CONT.) 
OBSERVED  HAZARD  CLASSIFICATION 


OBSERVED  AREA 


HAZARD  CLASSIFICATION 


Electric  Shock 

Toxic  Material 

Mechanical  Vibration 

Equipment  Physical  Stability 

Proximity  of  Incompatible  Systems /Components 


III 

III 

III 

III 

IV 


4.  Discussion  and  Resolution  of  observed  hazards  provided  as 
attachment.  Appendix  F. 
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VI.  CONCLUSIONS 

A.  The  existing  location  of  the  LOX-30  liquid  oxygen  storage  tank 
relief  valve  presents  a severe  safety  hazard  to  operating  personnel. 

B.  Except  as  noted  above,  the  LOX-30  Liquid  Oxygen  Generator  Is  func- 
tionally safe  for  producing  liquid  oxygen  with  minimal  hazard  to 
attending  personnel. 

C.  The  propensity  of  the  air  compressor  and  cryogenerator  engine  to 
sustain  severe  damage  If  not  properly  operated  and  maintained  makes 
comprehensive  maintenance  training  and  complete,  lucid  technical 
manuals  mandatory. 

D.  The  Safety  Analysis  Identified  four  Category  I,  Negligible,  haz- 
ards; nine  Category  II,  Marginal,  hazards;  thirteen  Category  III, 
Critical,  hazards;  and  one  Category  IV,  Catastrophic,  hazard. 
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VII.  RECOMMENDATIONS 


A.  Install  shield  around  storage  vessel  relief  valve  to  prevent 
spraying  of  liquid  oxygen  on  operating  personnel. 

' ii 

B.  Develop  a comprehensive  LOX-30  maintenance  training  course. 

f 

C.  Ensure  the  availability  of  complete,  accurate  technical  publi- 
cations covering  maintenance  and  operating  procedures. 

D.  Ensure  that  covers  are  Installed  over  floor  level  plumbing  and 
electrical  cabling;  ensure  that  conduit  Is  Installed  on  electrical 
cables. 

E.  Install  vibration  adsorber  at  the  output  of  the  air  compressor. 

F.  Locate  the  air  compressor  to  reduce  the  noise  level  In  the  cryo- 
genic equipment  space  or  ensure  that  sound  attenuators  are  worn 

, by  operating  personnel. 

I 

G.  Ensure  adequate  ventilation  of  plant  spaces  to  preclude  atmos- 
pheric contamination  by  nitrogen  and/or  oxygen. 

H.  Replace  plumbing  connecting  flange  studs  with  machine  bolts 
secured  by  metal  stop  nuts. 

I.  Securely  attach  cold  box  stands  to  the  cold  box. 

r 

I J.  Ensure  the  use  of  protective  clothing  by  plant  operating  personnel. 

[ K.  Display  warning/advisory  placards  to  Indicate  system  pressures,  vol- 

f tages  and  high/low  temperature  areas  as  required  In  equipment  operational 

spaces;  include  applicable  first  aid  posters. 

L.  Install  non-conducting  rubber  matting  at  all  consoles  and  control 
stations. 

M.  Replace  hampsonmeter  with  a differential  pressure  gauge  on  the  cold 
box  control  panel. 
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5.  Discussion  and  Resolution  of  Fault  Hazards 

The  following  discussion  Is  provided  to  present  the  actions  antici- 
pated to  resolve  the  safety  hazards  reported  In  the  Fault  Hazard  Analysis. 

a.  Prior  to  beginning  reliability  testing,  a switch  was  Installed  In 
the  heater  circuit  which  Is  actuated  by  the  operation  of  the  Regenerating 
Gas  Heater  Valve  (760).  This  switch  prevented  operation  of  the  heater 
elements  unless  Valve  (760)  was  In  a position  to  direct  the  tall  gas 
flow  over  the  electric  heater  elements.  This  modification  shall  be  Incor- 
porated on  the  production  equipment  and  will  negate  the  possibility  of 
heater  element  burn  out  due  to  a failure  of  Valve  (760).  (See  Paragraph 
E.3.a.  for  hazard.) 

b.  An  over-temperature  cutout  switch  should  be  Installed  In  the  elec- 
trical heater  circuit  to  prevent  heater  element  burn  out  In  the  event  the 
thermostat  switch  (TC-4)  falls  to  open  at  300°C  or  regenerating  gas  flow 
Is  Interrupted  for  any  reason.  The  contractor  will  be  requested  to  Incor- 
porate an  over-temperature  switch  Into  the  production  design.  (See  Para- 
graph E.3.b.  for  hazard.) 

c.  Safety  Thermostat  (TA-5)  Is  required  to  close  only  In  the  event  of 
a regenerating  gas  heater  failure.  The  switch  system  to  be  Installed  on 
the  Regenerating  Gas  Heater  Valve  (see  Paragraph  5. a.)  will  contain  a 
"heater  on"  light  to  provide  a visual  Indication  that  the  heater  elements 
are  operative.  This  should  eliminate  the  possibility  of  operating  the 
equipment  with  unheated  regenerating  gas  If  the  heater  and  safety  thermo- 
stat fall.  (See  Paragraph  E.5.c.  for  hazard.) 

d.  Tall  Gas  Relief  Valve  (901)  - During  plant  operation  Valve  (901) 
and  the  Column  Pressure  Relief  Valve  (900)  are  protecting  the  same  gas 
piping.  If  Valve  (901)  failed  to  open  at  the  specified  pressure,  Valve 

(900)  would  act  as  a back-up  relief  and  open  before  pressure  In  the 
plumbing  and  rectification  column  Increased.  In  the  event  of  a failure 
of  Valve  (901)  to  close  after  opening,  any  significant  amount  of  gas 
(nitrogen  In  this  case)  venting  to  the  atmosphere  would  cause  a notice- 
able drop  In  regenerating  gas  flow  which  would  be  Indicated  on  the  regen- 
erating gas  flow  meter.  In  addition,  all  safety  relief  valves  are  to  be 
checked  on  a scheduled  basis  as  listed  In  the  equipment  maintenance  plan. 
In  view  of  the  above.  It  Is  considered  unlikely  that  a failure  of  Valve 

(901)  would  develop  Into  a hazardous  situation  and  no  further  action  Is 

'*  ••  considered  necessary  at  this  time.  (See  Paragraph  E.3.d.  for  hazard.) 

e.  Column  Pressure  Relief  Valve  (900)  - During  temporary  shut-downs. 
Valve  (900)  and  the  Tall  Gas  Relief  Valve  (901)  are  protecting  the  same 
gas  piping.  If  Valve  (900)  failed  to  open  at  the  specified  pressure. 

Valve  (901)  would  act  as  a back-up  relief  and  open  before  any  excess 
pressure  built  up.  In  the  event  that  a system  failure  during  shut-down 
did  cause  Valve  (900)  to  relieve  and  this  valve  did  fall  to  close  and 
boll-off  of  column  liquid  did  occur,  the  liquid  level  gauge  would  Indi- 


cate this  drop  In  liquid  level.  Operating  personnel  are  required  to 
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compare  the  existing  liquid  level  to  the  level  at  initial  plant  shut-down 
before  plant  operation.  If  this  comparison  reveals  that  a minimum  ratio 
has  not  been  maintained,  all  liquids  must  be  drained  and  the  equipment 
must  be  derlmed.  In  addition,  all  safety  relief  valves  are  to  be  checked 
on  a scheduled  basis  as  listed  in  the  maintenance  plan.  In  view  of  the 
above,  it  is  considered  unlikely  that  a failure  of  Valve  (900)  would 
develop  into  a hazardous  situation  and  no  further  action  is  considered 
necessary  at  this  time. 

f.  Float  Controlled  Column  Inlet  Valve  (120)  - If  Valve  (120)  failed 
by  sticking  in  the  open  position,  a reduction  in  product  purity  would 
occur.  This  would  be  caused  by  the  Increased  flow  through  the  plant  not 
allowing  enough  time  for  the  rectification  process  to  take  place.  The 
Increased  flow  would  also  cause  an  Increase  in  the  storage  tank  and  col- 
umn liquid  levels  which  would  be  indicated  on  the  liquid  level  gauge. 
Eventually,  if  the  operator  has  not  corrected  this  situation,  the  Increased 
flow  would  cause  the  cryogenerator  helium  pressure  to  rise  to  the  high  pres- 
sure cutout  limit  and  shut-down  the  equipment.  If  Valve  (120)  failed  by 
sticking  in  the  closed  position,  there  would  be  a reduction  in  the  conden- 
ser head  temperature  due  to  a reduced  air  flow.  This  temperature  reduc- 
tion would  cause  a reduction  in  the  column  inlet  pressure  which  would 
indicate  on  the  inlet  pressure  gauge.  Also,  this  condition  would  cause 
a reduction  in  the  storage  tank  liquid  level,  regenerator  tall  gas  flow 
and  product  purities  which  would  all  indicate  on  individual  gauges.  Even 
if  the  operator  falls  to  take  action,  this  equipment  has  operated  in  a 
reduced  flow  condition  for  two  days  without  sustaining  any  damage.  It 
is  probable  that  a prolonged  reduced  flow  situation  could  cause  the  cryo- 
generator helium  pressure  to  reach  the  lower  cutout  limit  and  shut-down 
the  equipment. 

Due  to  the  safety  devices  and  numerous  failure  Indications  listed 
above,  it  is  considered  unlikely  that  the  failure  modes  listed  above 
would  develop  into  a hazardous  situation.  Therefore,  no  further  action 
is  anticipated  on  this  situation  at  this  time.  (See  Paragraph  E.3.f. 
for  hazard.) 

g.  Float  Controlled  Transfer  Valve  (236)  - If  Valve  (236)  failed  by 
sticking  in  the  open  position,  flow  from  the  column  to  the  storage  tank 
would  Increase  and  there  would  be  insufficient  time  for  the  rectifica- 
tion process  to  take  place.  Therefore  product  purity  would  be  reduced. 

This  failure  would  cause  abnormal  readings  on  the  column  liquid  level 
gauge,  storage  tank  level  gauge  and  purity  monitor.  This  equipment  will 
operate  with  reduced  purity  but  without  damage  in  this  failure  mode  until 
corrections  by  operating  personnel  can  be  made.  If  Valve  (236)  failed  by 
sticking  in  the  closed  position,  the  column  liquid  level  would  rise  and 
provide  a highly  abnormal  rise  on  the  column  level  liquid  gauge.  Also, 
this  failure  would  cause  a closure  of  Valve  (120).  The  results  and  indi- 
cations caused  by  this  occurrence  are  listed  in  the  preceding  paragraph. 

In  view  of  the  above,  it  is  considered  unlikely  that  a failure  of  Valve 
(236)  would  develop  into  a hazardous  situation  for  equipment  or  personnel. 
Therefore,  no  further  action  is  anticipated  at  this  time.  (See  Paragraph 
E.3.g.  for  hazard.) 
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h.  Storage  Tank  Vent  Valve  (281)  and  Storage  Tank  Production 
I Transfer  Valve  (240)  - Valves  (281)  and  (240)  are  manual  valves  con- 

trolled by  operating  personnel.  Failure  of  these  valves  to  be  opened 
or  closed  as  required  would  cause  abnormal  readings  on  the  storage  tank 
liquid  level  and  pressure  gauges  or  be  noticed  by  the  operator's  Inabll- 
« ity  to  move  the  valve  handle.  Operators  can  take  Immediate  action  to 

alleviate  the  situation  by  securing  the  equipment  and  repairing  valves 
as  required.  Also,  any  excess  pressure  build-up  caused  by  a failure  of 
' these  valves  would  be  relieved  by  Storage  Tank  Relief  Valve  (911),  there- 

fore possible  equipment  damage  is  considered  unlikely.  No  action  Is 
being  contemplated  on  these  situations  at  this  time.  (See  Paragraph 
E.3.h.  and  E.3.1.  for  hazards.) 

I.  Storage  Tank  Relief  Valve  (911)  - If  Valve  (911)  would  fall  to 
open  during  a short  duration  shut-down,  either  Relief  Valve  (901)  or 
(900)  would  act  as  a back-up  and  relieve  any  excess  pressure  In  the  sys- 
tem. Transfer  of  liquid  product  to  a pressurized  external  receptacle  Is 
a limited  requirement  and  would  require  an  operator  to  utilize  Storage 
Tank  Vent  Valve  (281)  to  control  pressure  In  Internal  storage  tank.  In 
this  Instance,  the  operator  must  maintain  constant  surveillance  of  inter- 
nal storage  tank  pressure  and  open  Valve  (281)  before  excess  pressure  can 
build  and  cause  Valve  (911)  to  open.  (Note:  Normal  filling  of  storage 
tanks  Is  not  done  under  pressure.)  If  Valve  (911)  falls  to  close  after 
opening  any  excessive  liquid  boil-off  would  be  noticeable  on  the  liquid 
level  gauge  and  the  procedures  of  comparison  of  liquid  levels  and  derlm- 
Ing  of  the  plant  described  In  section  e.  above  would  apply.  All  Relief 
Valves  are  to  be  checked  on  a scheduled  basis  to  ensure  proper  operation. 
In  view  of  the  above.  It  Is  considered  unlikely  that  a failure  of  Valve 
(911)  would  develop  Into  a hazardous  situation  and  no  further  action  Is 
planned  at  this  time. 

J.  Cryogenerator  Oil  Pressure  Switch,  Helium  Pressure  Cutout  Switch 
and  Differential  Pressure  Switch  - These  switches  are  safety  devices 
which  only  activate  in  the  event  of  failure  of  another  system  within  the 
equipment.  The  switches  are  checked  before  every  plant  operation  as 
part  of  the  pre-start  Inspection  as  cited  on  the  maintenance  plan.  In 
the  event  of  a concurrent  failure  of  the  primary  system  and  safety  device, 
the  hazard  of  equipment  or  personnel  damage  would  be  mitigated  by  other 
safety  devices,  operator  surveillance,  etc.  as  specified  in  the  hazard 
classifications.  No  action  Is  being  contemplated  on  these  situations 

at  this  time.  (See  Paragraph  E.3.k. , E.3.1.  and  E.3.m.  for  hazards.) 
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2.  Current  Integrated  logistic  support  planning  includes  development 
of  Improved  operation  and  maintenance  manuals  for  all  levels  of  Naval 
personnel  Involved  with  this  equipment.  Also  being  planned  is  exten- 
sive operational  and  maintenance  training  of  Naval  Instructors,  depot 
level  maintenance  personnel,  and  all  Naval  operating  personnel.  Con- 
sult Integral  Logistic  Support  Plan  No.  CGSE  0238 :AA  for  any  additional 
information  which  is  required. 
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15.  Discussion  and  Resolution  of  Observed  Hazards 

The  following  discussion  is  provided  to  present  the  actions  antici- 
pated to  be  taken  to  resolve  the  safety  hazards  reported  in  the  Observed 
Hazard  Analysis. 

! a.  Electric  Shock  - All  components  of  the  LOX-30  system  shall  be 

Inspected  prior  to  initial  operation  in  order  to  insure  that  the  proper 
electrical  grounding  and  bonding  has  been  accomplished.  The  operating 
area  shall  also  be  inspected  for  appropriate  voltage  level  and  safety 
procedure  placards.  (See  Paragraph  H.2.a.  for  hazard.) 

b.  High  Temperature  Surfaces  - All  high  temperature  surfaces  on 
this  equipment  are  remote  from  the  operator's  area.  Requirements  for 
personnel  to  be  in  these  hazard  areas  is  limited  and  would  be  restricted 
to  trained  personnel  who  are  familiar  with  the  equipment  design  and 
operation.  Considering  these  factors,  personnel  contact  with  high  tem- 
' perature  surfaces  is  considered  unlikely.  In  view  of  the  above,  no 

equipment  modification  is  considered  required  on  this  observed  hazard, 
j Warning  shall  be  Incorporated  in  appropriate  technical  manuals.  (See 

Paragraph  H.2.b.  for  hazard.) 

c.  Low  Temperature  Surfaces  - During  operation  of  this  equipment, 
operating  personnel  are  not  required  to  enter  the  area  where  low  tem- 
perature surfaces  are  present.  Operators  must  enter  this  area  only 
when  connection  or  disconnection  of  the  liquid  supply  line  is  required. 

At  this  time,  operators  are  required  by  NAVAIRINST  to  wear  protective 
clothing  for  handling  of  liquid  oxygen.  This  procedure  would  be 
carried  out  only  by  trained  personnel  who  are  familiar  with  this  equip- 
ment design  and  operation.  In  addition,  any  hazardously  cold  surfaces 
would  be  self-indicating  by  development  of  a layer  of  frost  or  ice  at 
the  cold  spot.  In  view  of  the  above,  and  the  low  hazard  classification, 
no  equipment  modification  is  considered  required  on  this  observed  hazard. 
Warnings  shall  be  Incorporated  in  appropriate  technical  manuals.  (See 
Paragraph  H.2.c.  for  hazard.) 

d.  High  Pressure  Fluids  and  Gases  - Medium  and  low  pressure  gages 
and  fluids  are  required  for  proper  operation  of  this  equipment.  This 
equipment  will  be  operated  by  personnel  trained  in  the  system  operation 
and  design.  These  personnel  will  be  familiar  with  the  various  fluid 
flows  and  pressures  present  in  the  plant.  Considering  the  above  and 
that  only  medium  and  low  pressures  are  present,  no  equipment  modifica- 
tion is  considered  required  on  this  observed  hazard.  Warnings  shall 
be  Incorporated  in  appropriate  technical  manuals.  (See  Paragraph 
H.2.d.  for  hazard.) 

e.  Static  Generating  Material  - Numerous  safety  manuals  and  instruc- 
tion at  the  Navy  School  of  Cryogenics  advocate  operating  and  maintenance 
personnel  wearing  cotton  clothing  in  the  liquid  oxygen  generator  environ- 
ment. Protective  clothing  for  handling  of  liquid  oxygen  is  covered  by 
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NAVAIR  instruction.  Warning  placards  can  be  placed  In  equipment  opera- 
tional area  as  required,  but  no  equipment  modification  Is  considered 
necessary.  (See  Paragraph  H.2.e.  for  hazard.) 

f.  Toxic  Materials  - Due  to  the  toxic  liquid  required  for  operation 
of  the  hampsonmeter,  a pressure  differential  gauge  shall  be  utilized  to 
replace  the  hampsonmeter  on  production  units.  (See  Paragraph  H.2.f.  for 
hazard. ) 


g.  Mechanical  Vibration  - An  adequate  vibration  dampening  system  was 
not  supplied  with  prototype  unit  at  time  of  Installation  at  NAVAIRENGCEN . 

A temporary  vibration  dampener  system  was  utilized  by  this  activity  and 
it  failed  twice.  An  adequate  dampening  system  was  received  subsequent  to 
all  testing  and  was  delivered  with  equipment  to  NAF  Slgonella.  The  pro- 
per dampening  system  will  be  provided  with  all  production  units.  (See 
Paragraph  H.2.g.  for  hazard.) 

h.  Floor  and  overhead  obstructions  were  peculiar  to  NAVAIRENGCEN 
testing  facility.  Proper  surveillance  of  facilities  installation  planning 
will  prevent  these  obstructions  reoccurring  at  the  Fleet  activities.  (See 
Paragraph  H.2.h.  for  hazard.) 

i.  Rotating  Machinery  - Cover  shields  on  the  cryogenerator  drive 
motor  and  compressor  drive  belts  are  to  be  inspected  on  a scheduled  basis 
as  listed  on  the  equipment  maintenance  plan.  This  will  be  included  in 
appropriate  technical  publications.  (See  Paragraph  H.2.i.  for  hazard.) 

J.  Equipment  Physical  Stability  - Elevation  stands  are  required  on 
the  LOX-30  liquid  oxygen  plant  to  allow  a common  base  unit  for  the  cryo- 
generator to  be  used  on  both  the  LOX-30  and  PLN-430  liquid  nitrogen 
plant.  These  stands  will  be  securely  attached  to  the  cold  box  on  pro- 
duction units.  A requirement  for  alignment  of  the  cryogenerator  with 
the  cold  box  precludes  securing  the  leveling  stands  to  the  deck  for 
additional  stability.  (See  Paragraph  H.2.j.  for  hazard.) 

k.  All  installation  planning  will  be  reviewed  to  insure  that  pro- 
per ducting  of  vent  gases  is  achieved.  (See  Paragraph  H.2.1.  for  haz- 
ard.) 


l.  On  all  production  units,  a shield  shall  be  placed  around  the 
storage  vessel  relief  valve  to  prevent  spillage  of  LOX  on  the  operator 
if  the  relief  valve  opens.  (See  Paragraph  H.2.n.  for  hazard.) 

m.  Activities  installation  drawings  should  be  reviewed  to  insure 
that  all  modules  have  sufficient  clearance  for  personnel  movement  and 
equipment  maintenance.  (See  Paragraph  H.2.o.  for  hazard.) 
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